1. Scope and Objectives
Krungthai Card Public Company Limited ("the Company") is aware of the importance of protecting personal data of individuals who apply for financial products with the Company ("customers"), in accordance with the Personal Data Protection Act B.E. 2562. The Company’s Board of Directors has therefore considered and approved the personal data protection policy of the Company. The Company has prepared this notice, which shall be applied to all customers, with the purpose of explaining the collection methods, usage, and disclosure of customer personal data relative to the provision of any of the Company’s services regarding financial products. Please carefully review this document to acknowledge and understand the purposes for which the Company has collected, used, and disclosed customer personal data in accordance with this notice.
"Personal Data" is defined as information pertaining to customers that makes it possible to identify customers directly or indirectly, excluding information about the deceased person, corporate, or information that has been processed to make it unable to identify customers who are owners of the personal data.
"Sensitive Data" is defined as personal data pertaining to race, ethnic origin, political opinion, doctrinal beliefs, religion or philosophy, sexual behavior, and criminal record which affects the owner of personal data in a similar manner as specified by the Personal Data Protection Committee. The Company will collect, use and/or disclose sensitive data only when the Company has your consent or in cases where the Company is required to as permitted by law. The Company may need to collect, use and/or disclose personal biometric data such as facial recognition data, fingerprint recognition data, iris recognition data, and voice recognition data for the purpose of verifying the identity of users who request to apply and/or make transactions through various channels.
"Personal Data Processing" is defined as any action that the Company takes on customers' personal data, including the collection, use, disclosure, and deletion of personal data.
is defined as financial products of the Company, including KTC credit cards, KTC PROUD cash cards, KTC P BERM personal loans, as well as card-accepting merchant services, such as electronic data capture services (EDC), KTC Gateway services, etc.
2. User of Customer Personal Data
The Company is the "Data Controller" for every customer and therefore has the duty and responsibility in terms of processing and maintaining the security of customers’ personal data. Personal data will be processed as necessary to provide service and process requests, depending on the case, which may include sales promotion or marketing. Personal data usage will be performed with objectives, limitations, and methods as specified by law.
In addition, the Company may send your personal data to agencies or third parties to act as "Data Processors" on behalf of the Company.
3. Customer Personal Data that the Company May Collect
In terms of access and usage of the Company's financial services, customers are required to provide personal data for customer identification in order to be able to use the service and/or perform financial transactions related to financial products. This personal data includes:
- Personal data as specified in the application form
- Identification documents used as required documents for application
- Credit information
- Financial transaction information
In addition, the Company also processes personal data pertaining to usage via the Company's information technology systems, including CCTV, building entry and exit systems, and traffic data through the computer in accordance with The Computer Crime Act.
In general, the Company collects the majority of personal data directly from customers through the application to become a financial product member. However, the Company may collect additional information from other sources, such as external service providers, etc. Information obtained from other sources will already have been reviewed or certified for usage for the purposes as explicated in this notice.
The Company may process personal data that allows customer identification through a documented form and/or images and/or electronic format.
4. Purpose of Customer Personal Data Usage
The Company uses customers’ personal data for the following purposes related to providing financial services. The Company processes customers’ personal data for a reason (basis for data processing), which may be one reason or several reasons combined, as follows:
4.1 Because the Company has a Duty to Comply with the Contract: Processing in Accordance with the Contract
In order for customers to use the company’s financial products as customers who are contract parties with the company or according to customers’ requests before or during usage of the company’s financial products, such as:
(1) Financial product service application; analysis, review, and notification of approval; information/personal data or account data revision service; customer relations related services; processing for service/product development; offering of special privileges; deliver/transfer of personal loans; payment services; receipt issuance; notify loan payments or product renewals.
(2) Other procedures with the purpose of providing contractual services, such as accepting complaints, debt collection, compound a debt, and risk management.
(3) The Company will take the aforementioned data to process by the Company and/or by the collaboration with third parties such as debt collection, sales promotion or the installation of electronic data capture machines, etc.
4.2 Because the Company Needs to Perform in Accordance to the Legitimate Interests of the Company: Processing in Accordance with Legitimate Interests
The Company may use customers' personal data in terms of managing, internal auditing, internal report generating, performing system maintenance to maintain service standards, as well as performing the company's risk management and normal internal operations as legitimate interests, such as:
(1) Voice recording through the Member Services Center or CCTV recording.
(2) Customer relationship management such as handling complaints, assessing satisfaction towards notification service or the offering of similar financial products in which customers already exist with the company for his/her benefit.
(3) Enterprise risk management and internal management including forwarding to affiliate companies within the same business network to perform aforementioned processing.
(4) Control, prevent, mitigate or transfer risks that may occur from fraud, cyber threats, default payments or breach of the agreements, violation of various laws (i.e. the prevention of money laundering, providing financial support for terrorism, the spread of weapons of mass destruction, conducting offence in relation to property, life, body, liberty or reputation, etc.) as well as sharing personal data to raise the standard of work of companies in the financial business sector in controlling, preventing, mitigating or transferring the above risks.
(5) The collection, usage and/or disclosure of personal data of directors, authorized individuals and representatives of corporate clients.
(6) Contacting, video and sound recording of meetings, trainings, recreational events or booth events.
(7) Collection, usage and/or disclosure of personal data of persons with a court's receivership order.
4.3 Because the Company Needs to Comply with Laws: Processing in Accordance with Legal Obligation Compliance
The Company may process customers’ personal data in order to comply with the laws of the departments that supervise the business operations of the Company, such as the Bank of Thailand, Office of the Consumer Protection Board, Office of Economic Affairs, Ministry of Finance, Office of the National Counter Corruption Commission, Office of the Personal Data Protection Committee, etc. This is also inclusive of legal rules governing business dealings in the capital market, such as the Cyber Security Act B.E. 2562, the Anti-Money Laundering Act B.E. 2542, Debt Collection Act B.E. 2558, and other laws under which the Company is required to report data, both domestically and abroad, including notices and regulations issued under the aforementioned laws, such as the Civil Procedure Code, which gives the court the power to order the parties to send documents or information in the trial, etc.
4.4 Because the Company Received Customer Consent: Processing in Accordance with Consent
The Company will request the customers’ consent to process his/her personal data for marketing purposes, sales promotion, offers of special privileges, products, services, or for statistics, studying, analysis, research, and evaluation of results, and for any other purpose which is not forbidden by law.
The processing of customer personal data will be done for the stated purposes only. In some cases, the Company may consider processing a customer's personal data for other relevant and non-conflicting purposes, or in addition to the original objectives. However, in the case that the Company needs to process the data for other purposes that are unrelated to the original objectives, the Company shall request new consent for the use of data for the new purpose.
If customers wish to withdraw the aforementioned consent, he/she may contact the Company and inform it of his/her request according to Article 11. Any withdrawal of consent may affect customers in terms of usage of products and/or financial services, for instance, no notifications for special privileges, new promotions or deals; improved service and products that cater to customers’ needs or new information that may be beneficial. Therefore, for the customer’s benefit, he/she should meticulously study or inquire about the consequences prior to withdrawing consent.
5. Disclosure of Personal Data to Third Party
The Company may disclose customers’ personal data to third parties as necessary for data processing in accordance with contractual, legal responsibilities or as agreed upon by the customer. The Company may send customers’ personal data to the following third parties:
1) Agents and contractors or external service providers. For these individuals and/or juristic persons to provide services to the Company and its customers, including financial business groups, financial institutions, business partners, business alliances who share products, consultants, experts and service providers such as information and communication technology, insurance companies, companies that coordinate travel for seminars, meeting planners, Thailand Securities Depository, persons responsible for the issuance and offering of securities, those responsible for debt collection, installation of electronic data capture machines, for sale promotion, for bank of merchant acquiring and other external individuals the Company works with, in order to provide service related to financial products and company-related services.
2) In the event that customers have a primary card and a supplementary card, or joint loan or guarantees and/or have conducted any other financial transactions involving two or more persons, the Company may disclose personal data of both customers and those involved with transactions.
3) Regulators, government agencies or agencies that are responsible for supervision, such as the Bank of Thailand, Securities and Exchange Commission, National Credit Bureau, Office of the Consumer Protection Board, Office of Economic Affairs, Ministry of Finance, Office of the Anti-Money Laundering, Revenue Department, Office of the National Counter Corruption, Department of Legal Execution, Ministry of Justice, National Police Agency or any persons in which the Company must disclose information to the extent required by relevant laws or regulations, including in other specific cases, such as according to a court order.
4) For the establishment of claims under the contract, under the law of the Company, or to take action against legal claims.
5) The Company may send or transfer customer information to other countries in order to comply with the contract between the Company, other persons or juristic persons for the benefit of the customers, or to meet legal requirements. The destination country receiving the data must be screened by the Personal Data Protection Committee that there is adequate data protection standard, or the agency or organization receiving the data must be inspected and certified by the Office of the Personal Data Protection Committee, to ensure that there are appropriate personal data protection measures.
6. Processing by Automation
Under the explicit consent from the customer, the Company may use customers’ personal data to process by automation which may affect the customer's profile, or in order to gather other information, such as marketing data, etc. If customers wish to withdraw the aforementioned consent, he/she may contact the Company and inform it of his/her request according to Article 11.
7. Right of Customer to Personal Data
Customers have rights to the customers’ personal data. Customers may request to exercise their rights under legal requirements and specified notice which are currently scheduled or will be amended in the future as follows:
- Right to be informed by receiving notifications regarding the processing of personal data, method of data collection, the person who will receive the information, and reasons and duration of personal data collection.
- Right of access. Customers may obtain a copy of his/her personal data under the responsibility of the company, and may check whether the Company has processed the data in compliance to the law or not.
- Right to data portability. The Company has formulated personal data in a form that can be read, or used in general with tools or devices that work automatically, and processed by automatic methods. Customers may request the Company to directly send or transfer personal data to other people using automated methods, or to request personal data that the Company has sent or transferred directly to another person, with the exclusion of technical difficulties.
- Right to object the processing of personal data. Customers may object in the event that the Company processes customers’ data.
- Right to request personal data removal, destruction or right to be forgotten. Customers may request to delete, destroy or make personal data unidentifiable.
- Right to restrict processing. Customers may request to suspend the use of personal data when the Company is undergoing an investigation after customer request to make changes to personal data, or when the Company is in the process of verifying or examining the request to exercise the right of objection by the customer.
- Right of rectification. Customers are able to request changes to data to make it correct, complete, and up to date in the case that customers discover their information is incorrect, incomplete and not up to date.
Customers have the right to submit a request to exercise their rights with the Company. In some cases, the Company may refuse to exercise the rights of customers based on reasons given in further notices. Customers can file a complaint with the Office of the Personal Data Protection Committee should they disagree with the reason(s) provided by the Company.
Any customer requests for the exercise of customer rights as described above must be made in writing. The Company will use its best efforts to process or clarify within 30 days or not exceeding the time specified by law. The Company will comply with legal requirements pertaining to customer rights as owners of personal data. In the event that customers make a request for the Company to delete, destroy, or eliminate the processing of personal data, temporarily suspend its usage, change personal data into an unidentifiable data format or to withdraw consent, any of these options may cause restrictions with the Company in terms of performing transactions or providing services to customers. In exercising the above rights, the Company reserves the right to charge relevant and necessary costs to process personal data as requested by customers.
8. Duration of Personal Data Collection
According to the principles of collecting necessary personal data, the Company will collect your personal data within a timeframe as long as necessary for the purposes of data collection according to the following:
- Customer personal data will be collected throughout the period the customer has a status of a financial product member, not exceeding 10 years from the day of the end of the customer's membership period.
- In cases where customers are declined as financial product members, the Company will collect personal data of any declined customers for a period not exceeding 1 year from the date of disapproval.
- In the case that the storage period has expired, the Company will delete or make personal data unidentifiable.
9. Methods that the Company Utilizes to Protect Customers' Personal Data
The Company’s protection of personal data follows the "Information Security Management System Standard (ISO/IEC 27001:2013)".
10. Amendments to the Personal Data Protection Policy
The Company may consider the review of the Personal Data Protection Notice for Customer. If changes occur, the Company will provide an early notice on the Company's website and through notified channels.
11. How to Contact the Company
In the event that customers wish to exercise their rights, withdraw consent for processing of customer personal data, or have questions regarding the Company’s processing of personal data, they may contact:
Customer Service: Tel. 02 123 5000
Contact Address : Krungthai Card Public Company Limited
Address: 591 United Business Centre II, 14th Floor, Sukhumvit 33 Road, Khlong Tan Nuea, Wattana, Bangkok 10110 Tel. 02 123 5000
Data Protection Officer Email Address: DataProtectionOfficer@ktc.co.th
If the customer foresees that the processing of customers’ personal data does not comply with the Personal Data Protection Act B.E. 2562, the customer has the right to make a complaint to the Office of the Personal Data Protection Committee.
This notice is an advance notice to come into effect from May 27, 2020. However, if the enforcement of personal data protection under the Personal Data Protection Act B.E. 2019 has postponed the effective date, likewise, this notice shall postpone its effective date to the date of personal data protection in compliance with the law, effective only in sections that have been postponed.